Analysis of .Net Deucalion IrcBot Sample Obfuscated with ConfuserEx+KoiVM

In this post I perform a quick analysis of a sample that seems to be an ircbot, named alphaircbot (based on the any.run tags) or deucalion (based on the internal .net classes names and deobfuscated strings). The malware family itself doesn't seem specially interesting, however, it is obfuscated with ConfuserEx obfuscator + KoiVM virtualization.

It was quite hard for me to deal with the obfuscated code, and debug it with dnSpy or similar tools to get the original assembly. I decided to use Windbg's sos extension to walk the loaded assemblies and to find the dynamic assemblies belonging to the original malware code. With this extension it is possible to enum the method tables foreach assembly and the stacks foreach thread that is executing managed code, making easy to find jit generated code that belongs to the malware code (and interesting malware's data referenced by the jit generated code).

Original Packed Sample: 40e751c032c75d33c807219b2de6c584

Source Url: hxxp://54.38.22[.]53/spike/svchost.exe

Info Url: URLhaus

Automatic Generated Report: PepperMalware Report

Virustotal First Submission: 2018-06-10 16:37:46

Other AlphaIrcbot samples at Any.Run: 

asdjdsffdgnms.exe (2018-08-19 10:25:54)

KFDJfd.exe (2018-11-16 00:26:10)

jjunpkvyalquru.exe (2018-09-01 21:40:15) 

Any.Run Tags: alphaircbot

Related links:

https://hackforums.net/showthread.php?tid=5875152 

http://offensivecommunity.net/showthread.php?tid=76358

https://urlhaus.abuse.ch/browse/tag/AlphaIRCBot/ 

https://yck1509.github.io/ConfuserEx/ 

https://github.com/Loksie/KoiVM-Virtualization

https://docs.microsoft.com/en-us/dotnet/framework/tools/sos-dll-sos-debugging-extension 

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-managed-code 

https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/ 

 https://github.com/CodeCracker-Tools/MegaDumper